The Kingdom of Bahrain’s Law No. 30 of 2018 promulgating the Personal Data Protection Law (‘PDPL’), which came into effect on 1, August 2019, gives data subjects resident in the Kingdom the right to object to decisions made based only on automatic processing (Article 22 of the PDPL).

The banking and finance sector is likely to be impacted by this new statutory right.

A Practical Scenario: Automated Loan and Scoring Decisions

An automated process for scoring loans can calculate and score qualitative and quantitative risk factors and weigh each according to the type of loan in order to automatically generate a loan decision.

Automating loan decisions are said to be highly beneficial to the banking and finance sector as a whole for the following reasons:

• it enables banks to provide loan applicants with quick answers and enhances the loan process substantially. In more practical scenarios; financial institutions use technology to score simpler loans allowing analysts to focus on more complex credits. Alternatively, different categories, high quality weak and intermediate loan requests could also be created using scoring outcomes for the financial staff to further analyse intermediate applications; and
• it increases consistency and compliance with the bank’s loan policy and culture, meaning that staff spread across several segments are less likely to misinterpret lending policies.

The Right to Object

While described as a ‘right to object’ to decisions based on automated processing, the right granted under Article 22 to individuals (potential borrowers in this scenario) is actually a right to request processing in a manner that is not solely automated.
Article22 (1) states, in part (in its English translation):

“If a decision is based solely on automated processing of personal data intended to assess the data subject regarding his performance at work, financial standing, credit-worthiness, reliability or conduct, then the data subject shall have the right to request processing in a manner that is not solely automated.”

Re-consideration of the automated decision by an human is obligatory in these circumstances and must be done free of charge for the data subject.

The Board of the Personal Data Protection Authority (‘Authority’) is yet to issue a regulation specifying procedures relating to the submission and processing of the request under Article 22. Although, the Minister of Justice, Islamic Affairs and Awqaf has recently been tasked under Decree No. (78) of 2019 with the duties and powers prescribed under the PDPL for the Authority to date, no regulations have been issued regarding Article 22. What remains unclear is, whether in the absence of these processes, data subjects can exercise their rights under Article 22.

Further, the right to object under Article 22 expressly does not apply “in favour of the Data Subject, where the decision is taken in the course of entering into or performance of a contract with the data subject, provided that suitable measures to safeguard his legitimate interests have been taken, such as hearing the data subject’s view.”

It is worth noting that any person who incurs damage arising from processing of their personal data by a data controller (whether by automated means or otherwise) has the right under Article 57 of the PDPL to compel the data controller to pay compensation with a view to repairing the damage.

What does this mean for Banks in Bahrain?

The right to object only applies to decisions that are based solely on automated processing of personal data. Where a loan decision is not fully automated, the right does not apply.

As noted above, the Authority has not issued any guidance on the application of Article 22(2) of the PDPL. However, this PDPL provision appears to be based on Article (22)(2)(a) and 22(3) of the European

Union’s General Data Protection Regulation (EU) 2016/679 (‘GDPR’).

These equivalent GDPR provisions likely provide some guidance for interpretation of the PDPL. Under the GDPR, a data subject does not have a right to object to a decision based solely on automated means if:

• the decision based on automated means is necessary (i.e. no alternative method exists to achieve the same goal) to enter or to perform a contract between the data subject and data controller; and
• suitable measures are implemented to safeguard the data subject’s rights and freedom and interests.

Guidelines for the GDPR produced by the advisory body known as the Article 29 Working Party (or WP29), gives examples of ‘suitable measures’ that enable the data subject to obtain human intervention, express their point of view and contest the decision.

Consequently, if for example, an online bank in Bahrain is offering loans and a decision on whether or not a loan should be offered based on an algorithm is taken, it appears under the PDPL the bank should:

• review decisions when requested to do so by an applicant;
• provide the details of a contact person at the bank; and
• notify the applicant regarding its right to challenge the automated decision and to express its point of view.

Conclusion

Banks and other financers in the Kingdom of Bahrain do not necessarily use automated loan decisions for every type of loan offering considering that numerous factors make up their business strategies and lending decisions. However, if they do make a decision based solely on an algorithm or other automated process they need to be aware that:

• the applicant now has a statutory right to object to the automated decision; and
• even where the applicant does not have that right of objection, suitable measures have to be taken to safeguard the applicant’s legitimate interests.

For further information please contact, Andrew Fawcett (a.fawcett@tamimi.com) or Krishna Jhala (k.jhala@tamimi.com)